diff options
| author | George Rawlinson | 2020-11-26 12:24:44 +1300 |
|---|---|---|
| committer | George Rawlinson | 2020-11-26 12:24:44 +1300 |
| commit | 360cff934c751de3ec4db0a5abab2f71dce4345e (patch) | |
| tree | fed8aeba9c47dd4ca04db42ed6e1a645cbf89896 | |
| parent | b093795d9ca378ee8f27017a5883985a46d90f68 (diff) | |
| download | aur-360cff934c751de3ec4db0a5abab2f71dce4345e.tar.gz | |
upgpkg: prometheus-ipmi-exporter 1.3.1-2
harden systemd service
| -rw-r--r-- | .SRCINFO | 4 | ||||
| -rw-r--r-- | PKGBUILD | 4 | ||||
| -rw-r--r-- | prometheus-ipmi-exporter.service | 30 |
3 files changed, 33 insertions, 5 deletions
@@ -1,7 +1,7 @@ pkgbase = prometheus-ipmi-exporter pkgdesc = Prometheus exporter for IPMI metrics pkgver = 1.3.1 - pkgrel = 1 + pkgrel = 2 url = https://github.com/soundcloud/ipmi_exporter arch = x86_64 license = MIT @@ -14,7 +14,7 @@ pkgbase = prometheus-ipmi-exporter source = prometheus-ipmi-exporter.sysusers b2sums = 072b9bcdb6346c84d82ab86eb4034b50dd0ef057f14e593d41adc4a2f7de794c1e532bdcececf0916c9029c80916c501501a80efb595405ee59cfc50bba68b18 b2sums = 39663e6da79867687a85662a49c3d70f97ca1f528562b67928265f512718d975feb9b3a2ab5f169f72f947eb334b02bbcd307c4f0641e6a18d05e9d2824b934e - b2sums = 093e8a00fedfa18fe13bb43638edcb99fe0ca546b7ba2a7c6bb887083c14eaf7ba5041011af4554859a916de7a2f78e8ae575df57d8f3e59fb88a7a91e3a3021 + b2sums = 428d9b1afbe59888966ac900c1e3b8bbef2ae1cee229e690a39d29883663503dd650d0a537126f10bb6e1b5241c8ee297c121537f8980ca1e1d0e8dab9c86fb4 b2sums = 93e62d3bacccb26e808271fa4f576dc5e67cb5111f7d0c744a4f029aa3974de29742b4301f4058db38884de1cb049969c533291daf0fa6a9f3175a77c72b0001 pkgname = prometheus-ipmi-exporter @@ -3,7 +3,7 @@ pkgname=prometheus-ipmi-exporter _pkgname=ipmi_exporter pkgver=1.3.1 -pkgrel=1 +pkgrel=2 pkgdesc="Prometheus exporter for IPMI metrics" arch=(x86_64) url="https://github.com/soundcloud/ipmi_exporter" @@ -17,7 +17,7 @@ source=("$pkgname-$pkgver.tar.gz::$url/archive/v$pkgver.tar.gz" "$pkgname.sysusers") b2sums=('072b9bcdb6346c84d82ab86eb4034b50dd0ef057f14e593d41adc4a2f7de794c1e532bdcececf0916c9029c80916c501501a80efb595405ee59cfc50bba68b18' '39663e6da79867687a85662a49c3d70f97ca1f528562b67928265f512718d975feb9b3a2ab5f169f72f947eb334b02bbcd307c4f0641e6a18d05e9d2824b934e' - '093e8a00fedfa18fe13bb43638edcb99fe0ca546b7ba2a7c6bb887083c14eaf7ba5041011af4554859a916de7a2f78e8ae575df57d8f3e59fb88a7a91e3a3021' + '428d9b1afbe59888966ac900c1e3b8bbef2ae1cee229e690a39d29883663503dd650d0a537126f10bb6e1b5241c8ee297c121537f8980ca1e1d0e8dab9c86fb4' '93e62d3bacccb26e808271fa4f576dc5e67cb5111f7d0c744a4f029aa3974de29742b4301f4058db38884de1cb049969c533291daf0fa6a9f3175a77c72b0001') build() { diff --git a/prometheus-ipmi-exporter.service b/prometheus-ipmi-exporter.service index fefd63dbb3b6..632877fc8428 100644 --- a/prometheus-ipmi-exporter.service +++ b/prometheus-ipmi-exporter.service @@ -10,8 +10,36 @@ ExecReload=/bin/kill -HUP $MAINPID User=ipmi-exporter Group=ipmi-exporter Restart=on-failure +RestartSec=5s + NoNewPrivileges=true -ProtectSystem=true +LimitNOFILE=1048576 +UMask=0077 + +ProtectSystem=strict +ProtectHome=true +PrivateUsers=yes +PrivateTmp=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=true +LockPersonality=true +MemoryDenyWriteExecute=true +RestrictRealtime=true +RestrictSUIDSGID=true +RemoveIPC=true +CapabilityBoundingSet= +AmbientCapabilities= + +SystemCallFilter=@system-service +SystemCallFilter=~@privileged @resources +SystemCallArchitectures=native [Install] WantedBy=multi-user.target |